
How to Offer the Strongest SSL Encryption

By : VeriSign
Published : Sep 01, 2005
Length : 3
Type : White Paper
 
Overview :

Learn how VeriSign SGC-enabled SSL Certificates can help improve site security and customer confidence in the white paper, “How to Offer the Strongest SSL Encryption.”

In this paper, you will learn the differences between weak and strong encryption and what they mean for your site’s performance.


Secure Sockets Layer Encryption:

Most Web and network security professionals are aware of Secure Sockets Layer (SSL) Certificates and the critical part they play in a comprehensive Web security platform. Yet many of these same professionals have little or an incorrect understanding of an extremely important protocol within SSL encryption, one with the potential to radically alter the level of protection offered to any given Web site’s visitors. That protocol is Server Gated Cryptography, or SGC. Using an SGC-enabled SSL Certificate increases the encryption level available to many site visitors and in fact ensures that the greatest possible number of site visitors will connect at 128-bit encryption or stronger.

This technical paper details the effect SGC has on the encryption levels your site can offer to its visitors. You will learn which client systems connect at which encryption levels and how to offer the strongest encryption available to each site visitor. Also, you will learn where to obtain SGC-enabled SSL Certificates for your Web site.


Two Levels of SSL Encryption

SSL encryption occurs at two basic levels, which for purposes of this discussion we can think of as the low level of encryption and the high level. Low-level SSL encryption occurs at either 40 or 56 bits. High-level SSL encryption occurs at a full 128 or 256 bits. Whether a given SSL session occurs at the low or the high level of encryption depends on both the configuration of the client system and the type of SSL Certificate in place on the Web server. Many client systems are unable to take advantage of full 128-bit SSL encryption unless an SGC-enabled certificate is in place.

The difference between these encryption levels is dramatic. 128-bit encryption offers 2^88 times as many possible combinations as 40-bit encryption, which is approximately equal to 300 septillion (300,000,000,000,000,000,000,000,000) times stronger. That’s over a trillion times a trillion times stronger.

The most common way of breaking encryption is “brute force” computation: trying every possible key until the right one comes up. In 1997, 40-bit SSL was broken in about four hours by a college student using this method, and nowadays it can be broken by a hacker with the right skills and a high-end home system in a matter of minutes. If this same hacker were to attack a 128-bit SSL session, it would take well over a trillion years to break that session.


Factors Determining Encryption Level

Exactly which clients will step up to 128-bit SSL encryption and which will not is determined not only by the browser version that client is running but also by the operating system on that machine. Either of these factors can cause a client system to fail to step up. It’s important to note that these configuration issues exist entirely on the computer that is visiting the Web site; the server’s hardware, software, and operating system have no influence over a given visitor’s ability to step up to 128-bit encryption.

Browsers fall into three categories. The first is those that are simply incapable of connecting at 128 bits. These browsers are so extremely old that they were released before the capability was available, and no SSL Certificate in existence can connect to them with 128-bit encryption. These browsers include Internet Explorer versions prior to 3.02 and Netscape prior to 4.02. Clients running these extremely old browsers are the only visitor machines that will ever connect to an SGC-enabled SSL Certificate at less than 128-bit encryption. These obsolete browsers are extremely rare today.

The second category of browsers is still old but not as old as the first. These browsers include Internet Explorer versions after 3.02 but before 5.5 and Netscape versions after 4.02 and up through 4.72. They enjoy 128-bit encryption when connecting with SSL Certificates enabled for SGC and fail to use 128-bit encryption when connecting with SSL Certificates that are not. These old browsers are present on well under half the systems in use today but still have a significant presence in the market.

Finally, we have the newest browsers, Internet Explorer starting with version 5.5 and Netscape versions after 4.72. These browsers are capable of providing 128-bit encrypted sessions for both types of SSL Certificate—so long as the operating system allows it. 
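
A site operator can check which visitors actually connect at the low level by tallying the negotiated key size of each session from the server's SSL request log (mod_ssl, for instance, exposes it as SSL_CIPHER_USEKEYSIZE). The script below is an added example and not part of the VeriSign paper; the log layout, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample input. Assumed layout, one SSL request per line:
#   client_ip protocol cipher used_key_bits "user-agent"
SAMPLE_LOG = """\
192.0.2.10 SSLv3 EXP-RC4-MD5 40 "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
192.0.2.11 SSLv3 RC4-MD5 128 "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
192.0.2.12 SSLv3 EXP-RC4-MD5 40 "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)"
192.0.2.13 TLSv1 AES256-SHA 256 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.14 SSLv3 DES-CBC-SHA 56 "Mozilla/4.61 [en] (WinNT; I)"
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) "([^"]*)"$')

def encryption_level(bits):
    """Map a negotiated key size to the paper's two levels."""
    if bits <= 56:
        return "low"       # 40- or 56-bit sessions
    if bits >= 128:
        return "high"      # 128- or 256-bit sessions
    return "other"         # key sizes the paper does not discuss

def summarize(log_text):
    """Return (sessions per level, user agents seen at the low level, skipped lines)."""
    levels, low_agents, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1   # count malformed records instead of guessing
            continue
        _ip, _proto, _cipher, bits, agent = m.groups()
        level = encryption_level(int(bits))
        levels[level] += 1
        if level == "low":
            low_agents[agent] += 1
    return levels, low_agents, skipped

if __name__ == "__main__":
    levels, low_agents, skipped = summarize(SAMPLE_LOG)
    total = sum(levels.values())
    for name in ("high", "low", "other"):
        print(f"{name:5s} {levels[name]:3d} of {total}")
    print("clients at the low level:")
    for agent, n in low_agents.most_common():
        print(f"  {n}  {agent}")
    print(f"skipped malformed lines: {skipped}")
```

The user agents listed at the low level are the clients that did not step up to 128-bit encryption with the certificate currently installed.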
